Traffic classification is important for many reasons in delivering content to customers at the edge of communications networks. For example, Quality of Service (QoS) requires the traffic to be segregated first in order to assign packets to particular Classes of Service (CoS). A network operator can provide a different level of service to each class as well as a pricing structure.
Knowledge of traffic characteristics can help optimize the usage of the communications network infrastructure employed, and can help ensure a desired level of performance for applications/services important to the customers. The intention has always been that application requirements be considered in offering a level of service. Traditional methods of traffic detection and classification rely on monitoring logical port specifications typically carried in packet headers as, in the past, applications and/or services were, in a sense, assigned well known logical ports.
A large percentage of the traffic conveyed by communications networks today consists of peer-to-peer (P2P) traffic. Because peer-to-peer traffic is conveyed between pairs of customer network nodes, it is not necessary that a well known logical port be allocated, reserved, and assigned to traffic generated by applications generating peer-to-peer traffic and/or applications retrieving peer-to-peer content. Therefore known approaches to traffic classification are no longer valid as logical ports are undefined for peer-to-peer applications and/or logical ports may be dynamically allocated as needed such in the case of the standard File Transfer Protocol (FTP) and others.
Peer-to-peer content exchange techniques are increasingly being used to convey without permission content subject to intellectual property protection, such as music and movies. Network operators are under an increasing regulatory pressure to detect peer-to-peer traffic and to control illicit peer-to-peer traffic, while rogue users are seeking ways to defy traffic classification to avoid detection.
Besides peer-to-peer traffic detection, means and methods are being sought on a continual basis for detecting short duration traffic flows to help identify possible intrusions such as, but not limited to, Denial of Service (DOS) attacks.
Statistical billing is another domain in which knowledge of traffic characteristics is necessary. Network operators increasingly employ resource utilization measurements as a component in determining customer charges.
Returning to peer-to-peer traffic detection, not all peer-to-peer traffic is illicit: in view of the high levels of resource utilization demanded by peer-to-peer traffic, network operators may want to charge customers generating peer-to-peer traffic and retrieving peer-to-peer content more for their high bandwidth usage. Resource utilization alone is not always an adequate traffic characteristic differentiator as in many instances content conveyed to, and received from, multiple customers is aggregated at the managed edge and within the managed transport communications network.
Attempts to characterize traffic, to detect traffic types, with a view of classifying traffic, include Deep Packet Inspection (DPI) techniques. Deep packet inspection techniques are described by Sen S., Spatscheck O. and Wang D. in “Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures”, Proceedings of the 13th international conference on World Wide Web, New York, N.Y., 2004; and by Karagiannis T., Broido A., Faloutsos M., Claffy K. in “Transport layer identification of P2P traffic”, Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, Taormina, Sicily, Italy, 2004.
Proposed deep packet inspection techniques, as the name suggests, assume the availability of unlimited resources to inspect entire packets to the perform packet characterization. Therefore deep packet inspection incurs high processing overheads and is subject to high costs. Deep packet inspection also suffers from a complexity associated with the requirement of inspecting packet payloads at high line rates. For certainty, deep packet inspection is not suited at all for typical high throughput communications network nodes deployed in current communications networks. Deep packet inspection also suffers from a high maintenance overhead as the detection techniques rely on signatures, peer-to-peer applications, especially, are known for concealing their identities—a deep packet inspection detection signature that provides conclusive detection now may not work in the future, and another conclusive signature would have to be found and coded therein.
Traffic classification means and methods are being actively sought by network operators in order to determine the types of traffic present in a managed communications network for traffic and network engineering purposes, on-line marking of packets, quality of service assessment/assurance, billing, etc. In view of impending regulatory pressures, efficient detection and classification of peer-to-peer traffic is especially desired, as peer-to-peer traffic consumes large, disproportional percentages of bandwidth and other communication network resources. Network operators have to employ a combination of: peer-to-peer traffic control in order to reserve network resources for other types of traffic, charge peer-to-peer users different rates to curb behavior, and/or even block peer-to-peer completely in accordance with regulations imposed on network operators. There therefore is a need to solve the above mentioned issues to provide traffic classification means and methods which avoid the complexities of deep packet inspection and the pitfalls of logical port based packet classification.